Re: WSE and X509 trouble
From: Softwaremaker (msdn_at_removethis.softwaremaker.net)
Date: 10/15/04
- Next message: Softwaremaker: "Re: Encryptng Soap Attachments"
- Previous message: Softwaremaker: "Re: Questions about certificates"
- In reply to: Julie Lerman: "Re: WSE and X509 trouble"
- Next in thread: andrea: "Re: WSE and X509 trouble thanks to julie and something for codemaker"
- Reply: andrea: "Re: WSE and X509 trouble thanks to julie and something for codemaker"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 16 Oct 2004 07:16:29 +0800
I think Julie has done a great job answering your questions. I would just
like to add a couple of lines wrt to policy files.
> > server is a web service using policy files to add security requirement
> > to the project.
> >
> --I wouldn't define it quite this way because a) you do not always use
> policy files and b) a client can also use a policy file. First let me just
> tell you how I define a policy file. It gives the requester or the
> responder rules to live by. If it's the requester the rules could be
> something like ...any time I send out a request, it should be encrypted or
> any time I receive a message I won't look at it unless it is signed. So
> these rules can get placed on either end. Make sense?
> The server itself is the HOST of the web service. A web server is actually
> an application (eg. IIS) but some people just think of it as the box that
> IIS (or whatever) is on..which works for me.
[SWM] Think of Policy files as a level higher than your WSDL File. It
carries assertions which makes it slightly different from a schema file. It
tells you what your message MUST do instead of what it should look like.
hth.
--
Thank you very much.
Warmest Regards,
Softwaremaker
http://www.softwaremaker.net/blogs
=========================================

"Julie Lerman" <jlermanATNOSPAMPLEASEthedatafarm.com> wrote in message
news:#WXUOdrsEHA.636@TK2MSFTNGP09.phx.gbl...
> Andrea-
> I'm going to try to help you with some of the basic stuff here as I have
> just been through it myself and then maybe one of the more knowledgeable
> people can fill in any blanks. I will make the comments in line.
>
> "andrea" <a.canade@retis.it> wrote in message
> news:5c884a8f.0410150044.1e0892cd@posting.google.com...
> > Hi all
> >
> > i've some question about security with x509 that are not clear to me :(
> >
> > are these steps correct to make a security soap based test application?
> >
> > terminology:
> > client is a console application that send signed soap request and
> > receive signed soap response or faults...
> -- A client can be any client of the web service - but you've got the
> right concept. It can be a console app, a windows app, a web application,
> a mobile app (pocket pc, palm os), or even another web service. But it's
> basically the initiator of the request. The thing that will be asking the
> web service to do something for it.
> >
> > server is a web service using policy files to add security requirement
> > to the project.
> >
> --I wouldn't define it quite this way because a) you do not always use
> policy files and b) a client can also use a policy file. First let me just
> tell you how I define a policy file. It gives the requester or the
> responder rules to live by. If it's the requester the rules could be
> something like ...any time I send out a request, it should be encrypted or
> any time I receive a message I won't look at it unless it is signed. So
> these rules can get placed on either end. Make sense?
> The server itself is the HOST of the web service. A web server is actually
> an application (eg. IIS) but some people just think of it as the box that
> IIS (or whatever) is on..which works for me.
> >
> > SERVER
> >
> > 1) i create a webservice (stupid: only a string Repeat(string word)
> > web-method)
> > i configure the solution with WSE, particularly i set on security tab
> > LocalMachine as store location and policy files with a default
> > endpoint...
> ---okay
> >
> > at this point the wizard start... i chose to make a secure server
> > i check use signed request
> > i check use signed response then next...
> ---okay
> >
> > i choose X509 certificate
> >
> > now wizard tell me to choose the certificate to use for client
> > authentication?'
> > what does this mean ??
> > is the certificate inserted on the soap request by client?... i mean
> > so..
> --- since you chose to require that the incoming request be signed AND
> the outgoing request be signed, there will be two different X509
> certificates involved. The client will use ITS private X509 certificate to
> sign its message. Therefore, the server will need the public version of
> that certificate to verify the signature. So the wizard needs you to tell
> it which certificate in your certificate store is the one that represents
> the public key portion of the client's X509 certificate. It took me a while
> to get these things sorted out in my head - I hope I've explained it
> clearly enough.
> >
> > i insert anything and choose next and complete the wizard
> --"anything" could create a problem if it's not the correct certificate :-)
> >
> > now i build and my service is up !!
> >
> > CLIENT
> > 2) soap communication with digital certificate mean that the client
> > buy a certificate from (i said one) "verisign" for example...
> > it is correct?
> --if you want to sign the outgoing message from the client and you are
> talking about using X509 certificates, then basically yes. There are other
> ways to sign a message from the client also.
> >
> > the client put the certificate in his Store CurrentUser store
> > but what is the location? Trusted? People?
> --this is where I have limited knowledge that is based on only my limited
> experience. What I have worked with is with the certificate going into the
> Current User - Personal Store. That is only then accessible by me when I
> have logged in to the computer with the proper windows account.
>
> The best walkthrough I have seen for installing the certificates for WSE
> is in the Hands on Lab which is on this page:
> http://msdn.microsoft.com/webservices/building/wse It shows you how to
> install the sample certificates, but it's a good lesson.
> >
> > 2)
> > I create a client application
> > i add a proxy created with wsdl.exe
> > i change the base class of the proxy to make it work with WSE
> --(in visual studio) if you have the client configured to work with WSE2
> and you make a web reference to the wse2 enabled web service, then the
> proxy should already be configured correctly. It will actually make two
> proxy classes for you ...one against wse and the other just normal. (This
> has been my experience - there may be cases where it is not so nicely
> automatic...)
> >
> > i enable WSE for my application
> --see above - do this FIRST and then you can skip some of the above steps
> :-)
> >
> > NOW must i Add the policy file created on server side?
> > or must i create a new policy file for client security??
> >
> --you will create a new policy file for the client. If you use the wse
> settings tool, it even asks if you are creating the policy for a service
> or for a client.
> >
> > i've created a new policy file
> > but the wizard
> > - tell me to add a certificate site in the current-user personal store
> > (but the certificate must not be inserted into the Trusted store? )
> > - tell me to choose another certificate to authenticate the service
> > what does this mean? i've only one certificate
> --see above in response to this question on the web service. If you have
> said sign outgoing requests and require that incoming responses be signed
> - you are talking about two completely separate certificates. You need the
> CLIENT's private key to sign outgoing messages and the public key SERVER's
> certificate to verify incoming messages.
> >
> > thank you for patience
> --ahh - it just takes a lot of patience to learn this stuff. I definitely
> took a long time because I also asked WHY WHY WHY every step of the way!!
> :-)
>
> julie
> >
> > andrea
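The two-certificate rule Julie explains (the client signs with its own private key; the server verifies with a copy of the client's public certificate installed in its own store) as an added example in plain .NET XML-DSig rather than the WSE pipeline; this is not code from the thread or from WSE. It assumes a certificate with placeholder subject "ClientCert" installed with its private key in CurrentUser\Personal on the client and as public-only in LocalMachine\Personal on the server.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

class TwoCertificateSigning {
    // Personal ("My") store lookup: the signer needs the private key, the verifier only the public cert.
    static X509Certificate2 FindCert(StoreLocation location, string subject, bool needPrivateKey) {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try {
            foreach (X509Certificate2 c in store.Certificates.Find(X509FindType.FindBySubjectName, subject, false))
                if (!needPrivateKey || c.HasPrivateKey) return c;
            throw new InvalidOperationException("No usable certificate for " + subject);
        } finally { store.Close(); }
    }

    // CLIENT side: sign with the client's own private key and embed its certificate
    // so the receiver knows which public key the signature belongs to.
    static void Sign(XmlDocument doc, X509Certificate2 signer) {
        SignedXml sx = new SignedXml(doc);
        sx.SigningKey = signer.PrivateKey;
        Reference r = new Reference("");   // "" = the whole document
        r.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        sx.AddReference(r);
        KeyInfo ki = new KeyInfo();
        ki.AddClause(new KeyInfoX509Data(signer));
        sx.KeyInfo = ki;
        sx.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(sx.GetXml(), true));
    }

    // SERVER side: verify with the client's PUBLIC certificate only; no private key is needed here.
    static bool Verify(XmlDocument doc, X509Certificate2 clientPublicCert) {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count == 0) return false;   // unsigned message: reject, do not fall back
        SignedXml sx = new SignedXml(doc);
        sx.LoadXml((XmlElement)sigs[0]);
        return sx.CheckSignature(clientPublicCert, true);   // true: check the signature only, not the chain
    }

    static void Main() {
        XmlDocument req = new XmlDocument();
        req.LoadXml("<Envelope><Body><Repeat><word>hi</word></Repeat></Body></Envelope>");
        Sign(req, FindCert(StoreLocation.CurrentUser, "ClientCert", true));               // client: private key
        bool ok = Verify(req, FindCert(StoreLocation.LocalMachine, "ClientCert", false));  // server: public cert
        Console.WriteLine(ok ? "signature OK" : "signature INVALID");
    }
}
```

Passing `true` to CheckSignature skips chain building, which is why the wizard's "which certificate represents the client" choice matters: the server trusts exactly the public certificate it was pointed at, not anything that merely chains to a root.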